1. Cyber Operation and Penetration Testing Social Engineering Attack and Web-based Exploitation Cliff Zou University of Central Florida

2. Acknowledgement Some contents are from the book:
“The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy”, Second Edition

3. SET: Social Engineering Attack
Kali Linux has a toolset for social engineering attack
Similar to Metasploit toolkit in term of comprehensiveness
A good webpage tutorial:
kali-linux/
A good YouTube video tutorial:

4. SET: Social Engineering Attack
setoolkit
Select 1, social engineering attack

5. SET: Social Engineering Attack
We first focus on website attack where SET clones a fake webserver with ‘credential haverster attack’ to obtain victim’s login credential   
Put attack’s machine IP address here
for setting malicious fake webserver

6. SET: Social Engineering Attack
Put target webserver’s URL here for clone
Then, a user who connects to might think
He is connecting to the real facebook.com! And his login input will pass
To the attacker’s machine!

7. SET: Social Engineering Attack
If a user inputs his facebook.com account information in the fake website,
the login information (by HTTP POST method) will be recorded down by SET!
When I input username: and password: cnt5410l in the webpage,
On the Kali Linux:

8. SET for Web Server Attack
Besides credential harversting, SET can set up malicious web server for drive-by download attack:
Put attack’s IP address here for fake webserver

9. SET for Web Server Attack
Now the malicious webserver is up and running
On victim’s IE browser, facebook.com shows up with Java Applet warning:

10. Basic of Web Hacking
Analyze response from webserver and inspect for vulnerabilities:
Web Server vulnerability scanner
Intercept request as they leave your browser by using intercepting web proxy
Find all the web pages, directories, and other files that make the web appliation:
Clone
Find secrete information

11. Nikto: Web Server Vulnerability Scanner
Type the program: Kali# nikto

12. Nikto: Web Server Vulnerability Scanner
-h: target name or IP
-p: port number to scan
-p 80, 443; p
OSVDB-xxx: google to find detail of each
Attention: Do not try Nikto to sensitive web servers!
It generates a flood of web probing traffic

13. webscarab: Web Spider and Interceptor
webscarab
Configure Kali browser to use webscarab as proxy
It serves as a proxy that intercepts and allows people to alter web browser web requests (both HTTP and HTTPS) and web server replies. [from Wikipedia]
A youtube tutorial:

14. webscarab: Web Spider and Interceptor
Configure Kali browser to use webscarab as proxy
Configure Iceweasel’s Preference  Advanced  Network  Connection Setting…
Be sure to remove entries under the “No Proxy” box!
In this way, webscarab is a powerful web traffic monitoring and interceptor

15. webscarab: Web Spider and Interceptor
Connect to the targeted web server once
Right click the URL on Webscarab’s summary, then click “Spider Tree” will spider the web server

16. webscarab: Request/Response Interceptor
You can intercept some requests, modify them before they are sent to the server.
Choose “Proxy” tab, choose the "Manual Edit" tab. Once you click the "Intercept Requests" checkbox, you can choose which request methods you wish to intercept (most commonly GET or POST)

17. webscarab: Request/Response Interceptor
Go back Kali browser and click a link, it will be intercepted and webscarab shows the following window
You can now edit any part of the request field.
you uncheck the "Intercept requests" checkbox, either in the intercept conversation window, or in the "Manual Edit" tab of the Proxy plugin.

18. Owasp-zap: Bringing it all together under one roof
Owasp-zap contains all web-based hacking toolkit:
Intercepting proxy, sipdering, web vulnerability scanning
owasp-zap

19. Owasp-zap Web vulnerability scanning
Input target web URL under the “quick start” panel
Make sure you are given permission to scan the target webserver!
Here we scan the metasploitable Linux VM

20. Owasp-zap Web vulnerability scanning But it takes LONG LONG time!
All scanning results will be housed in the “Alerts” tab for easy review

21. Owasp-zap Set as Browser Proxy
For web traffic intercepting/modification, we first need to add zap as the browser proxy
Similar to webscarab, but the port number is instead of 8008

22. Owasp-zap
Spidering a website: right click a target URL  “Attack”  “Spider..”

23. Owasp-zap Maybe most useful: Request/Response Intercepting
Check and see if a website can securely handle abnormal inputs
What would the website do if I tried to order “-5” TV?
What would the website do if I tried to get $2000 TV for $20?
What if I sign in without providing username or password variables?
Step 1: set break point for outgoing/incoming web traffic
Step 2: Use the browser to visit the target website, the owasp- zap will pop up with the HTTP GET request shown up
The web browser will hang there waiting for the Zap to continue to send request out
Set break point

24. Owasp-zap
Step 2: Use the browser to visit the target website, the owasp- zap will pop up with the HTTP GET request shown up
The web browser will hang there waiting for the Zap to continue to send request out
Step 3: Modify the Request content, then click “continue”
The modified Request content will be sent to the target website.

25. WebGoat: A Vulnerable Platform for Web-based Attack Training
Concept is similar to Metasploitable Linux VM
Developed by OWASP organization
Built on top of J2EE, can be run on any OS
Download the “Easy Run” code from:
java -jar webgoat-container-7.1- exec.jar
In Kali Browser,
type in URL:
The webserver runs on 8080 port

26. Pre-Knowledge for SQL injection Attack Lesson in WebGoat
Webpage account login:
Username: czou
Password: *********

27. Pre-Knowledge for SQL injection Attack Lesson in WebGoat
Backend database:
$result = mysql_query(
“SELECT * FROM Accounts”.
“WHERE Username = ’$username’”.
“AND Password = ’$password’;”);
if (mysql_num_rows($result)>0)
$login = true;

28. Pre-Knowledge for SQL injection Attack Lesson in WebGoat
Webpage account login:
Username: czou’ OR 1=1;/*
Password: *********

29. Resulting SQL query SELECT * FROM Accounts
WHERE Username = ’czou’ OR 1=1;/*’
AND Password = ’*******’;

30. Resulting SQL query SELECT * FROM Accounts
WHERE Username = ’czou’ OR 1=1;
/*’ AND Password = ’*******’;
No password is checked!

31. SQL injection
Vulnerability: any application in any programming language that connects to SQL database
The common theme to injection attacks:
Concatenate strings
Interpret the result strings
Actions according to contained commands

32. WebGoat Example: Lab SQL Injection: Stage 1: String SQL Injection
Let us do the Lab SQL injection (Stage 1)
For this, we need to input special password: ‘ or ‘1’=‘1
But, the password field cannot support so many characters!

33. WebGoat Example: Lab SQL Injection: Stage 1
Solution: use owasp-zap web interceptor
One issue, owasp-zap uses the same 8080 port as WebGoat
Solution: Change the default port of Zap
Select Zap menu “tools”  “option..”  “local proxy”
Set up the Kali browser to use proxy on the modified port
Remember to remove “no proxy on localhost” option
A youtube video tutorial (non-English):

34. WebGoat Example: Lab SQL Injection: Stage 1
After your browser shows the password input page, Enable “Break point” on all request/response on owasp-zap
Click webGoat login button, request will be intercepted
On the intercept pop-up page, select “Table (adv)” option for head field, then the SQL fields will show up
Now you can modify the password field with arbitrary text you want!
After modification, click the “continue” button to send out the request